[Vpn-help] Iked.exe dies

Peter Eisch peter at boku.net
Tue Oct 23 22:12:44 CDT 2007


Hi Matt, long time no chat...

Brian and I were chatting about pulling back around and trying this again,
so I figured no better time than tonight.  Server end is ipsec-tools 0.6.7
(yet) with the config.  It seems that iked tanks just as it receives the
first full message from the server.  It starts comparing the subject of the
cert and <poof> it's gone.

Ideas?

peter



remote anonymous {
        exchange_mode main,aggressive;
        ca_type x509 "ca.crt";
        certificate_type x509 "gw.adomain.com.crt" "gw.adomain.com.key";
        my_identifier asn1dn;
        proposal_check claim;
        lifetime time 24 hour;
        generate_policy on;
        generate_policy unique; # for after 0.6.6
        nat_traversal on;
        dpd_delay 20;
        ike_frag on;
        doi ipsec_doi;

        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method xauth_psk_server;
                dh_group 2;
        }
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method hybrid_rsa_server;
                dh_group 2;
        }
         proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method hybrid_rsa_server;
                dh_group 2;
        }
}

mode_cfg {
        network4 10.1.202.1;
        pool_size 253;
        netmask4 255.255.255.0;
        auth_source radius;
        conf_source radius;
        banner "/etc/racoon/domain.motd";
        default_domain "adomain.com";
        dns4 <domain master>;
        wins4 <domain master>;
        pfs_group 2;
}


# phase 2
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_md5, hmac_sha1;
        compression_algorithm deflate;
}

And the log, without a lot of debug produces innocuous results:

Oct 23 21:42:18 vpngw racoon: INFO: respond new phase 1 negotiation: 10.1.101.12[500]<=>204.130.132.13[500]
Oct 23 21:42:18 vpngw racoon: INFO: begin Aggressive mode.
Oct 23 21:42:18 vpngw racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Oct 23 21:42:18 vpngw racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Oct 23 21:42:18 vpngw racoon: INFO: received Vendor ID: RFC 3947
Oct 23 21:42:18 vpngw racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Oct 23 21:42:18 vpngw racoon: INFO: received Vendor ID: DPD
Oct 23 21:42:18 vpngw racoon: INFO: received Vendor ID: CISCO-UNITY
Oct 23 21:42:18 vpngw racoon: INFO: Selected NAT-T version: RFC 3947
Oct 23 21:42:37 vpngw racoon: ERROR: phase1 negotiation failed due to time up. a3c6f0e5e96ae7d4:b87ec37e20c533cb
Oct 23 21:43:18 vpngw racoon: ERROR: phase1 negotiation failed due to time up. ba634aecbfdc4a7c:2e79b6ac634e3d4c


On the client I just have the same config as last spring opened and then
saved resulting in:

n:network-ike-port:500
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:30
n:network-dpd-enable:1
n:network-frag-enable:1
n:network-frag-size:540
n:client-banner-enable:1
n:network-notify-enable:1
n:client-wins-used:1
n:client-wins-auto:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-splitdns-used:0
n:client-splitdns-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-list-auto:1
s:network-natt-enable:enable
s:phase2-compress:none
s:policy-list-type:include
s:network-host:gw.adomain.com
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:hybrid-rsa-xauth
s:ident-client-type:address
s:ident-server-type:asn1dn
s:ident-server-data:C=US, ST=Minnesota, L=Minneapolis, O=Company, Inc., OU=Managed Services, CN=gw.adomain.com/emailAddress=peter at adomain.com
s:auth-server-cert:ca.crt
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:esp-3des
s:phase2-hmac:md5
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2



########## iked.log ###########
## : IKE Daemon, ver 2.0.1
## : Copyright 2007 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8e 23 Feb 2007
ii : opened C:\Documents and Settings\peisch.VSIHQ\Desktop\ShrewLogs\iked.log'
ii : opened C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike.cap'
!! : failed to open C:\Program Files\ShrewSoft\VPN Client/debug/dump-pub.cap
ii : rebuilding vnet device list ...
ii : device ROOT\VNET\0000 disabled
ii : network process thread begin ...
ii : pfkey process thread begin ...
ii : admin process thread begin ...
<A : peer config add message
DB : peer ref increment ( ref count = 1, peer count = 0 )
DB : peer added
ii : local address myaddr:500 selected for peer
DB : tunnel ref increment ( ref count = 1, tunnel count = 0 )
DB : peer ref increment ( ref count = 2, peer count = 1 )
DB : tunnel added
<A : proposal config message
<A : proposal config message
<A : client config message
<A : xauth username message
<A : xauth password message
<A : remote id 'C=US, ST=Minnesota, L=Minneapolis, O=Domain, Inc., OU=Managed Services, CN=gw.adomain.com/emailAddress=peter at adomain.com' message
<A : remote cert 'ca.crt' message
<A : peer tunnel enable message
DB : new phase1 ( ISAKMP initiator )
DB : exchange type is aggressive
DB : myaddr:500 <-> gwaddr:500
DB : 71d8c4a44aa5df7f:0000000000000000
DB : phase1 ref increment ( ref count = 1, phase1 count = 0 )
DB : tunnel ref increment ( ref count = 2, tunnel count = 1 )
DB : phase1 added
>> : security association payload
>> : - proposal #1 payload
>> : -- transform #1 payload
>> : key exchange payload
>> : nonce payload
>> : identification payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
>> : vendor id payload
-> : send IKE packet myaddr:500 -> gwaddr:500 ( 396 bytes ) =
DB : phase1 ref increment ( ref count = 2, phase1 count = 1 )
DB : phase1 ref decrement ( ref count = 1, phase1 count = 1 )
<- : recv IKE packet gwaddr:500 -> myaddr:500 ( 548 bytes ) =
DB : phase1 found
DB : phase1 ref increment ( ref count = 2, phase1 count = 1 )
<< : fragment payload
ii : ike fragment received, waiting on complete packet
DB : phase1 ref decrement ( ref count = 1, phase1 count = 1 )
<- : recv IKE packet gwaddr:500 -> myaddr:500 ( 548 bytes ) =
DB : phase1 found
DB : phase1 ref increment ( ref count = 2, phase1 count = 1 )
<< : fragment payload
ii : ike fragment received, waiting on complete packet
DB : phase1 ref decrement ( ref count = 1, phase1 count = 1 )
<- : recv IKE packet gwaddr:500 -> myaddr:500 ( 548 bytes ) =
DB : phase1 found
DB : phase1 ref increment ( ref count = 2, phase1 count = 1 )
<< : fragment payload
ii : ike fragment received, waiting on complete packet
DB : phase1 ref decrement ( ref count = 1, phase1 count = 1 )
<- : recv IKE packet gwaddr:500 -> myaddr:500 ( 439 bytes ) =
DB : phase1 found
DB : phase1 ref increment ( ref count = 2, phase1 count = 1 )
<< : fragment payload
ii : ike fragment received, processing complete packet
<< : security association payload
<< : - propsal #1 payload
<< : -- transform #1 payload
ii : matched isakmp proposal #1 transform #1
ii : - transform    = ike
ii : - cipher type  = 3des
ii : - key length   = default
ii : - hash type    = md5
ii : - dh group     = modp-1024
ii : - auth type    = hybrid-initiator-rsa
ii : - life seconds = 86400
ii : - life kbytes  = 0
<< : key exchange payload
<< : nonce payload
<< : identification payload
ii : asn1_text C = US
ii : asn1_text ST = Minnesota
ii : asn1_text L = Minneapolis
ii : asn1_text O = Company, Inc.
ii : asn1_text OU = Managed Services
ii : asn1_text CN = gw.adomain.com
ii : asn1_text emailAddress = peter at adomain.com
######### EOF ##########

## : IPSEC Daemon, ver 2.0.1
## : Copyright 2007 Shrew Soft Inc.
## : This product linked OpenSSL 0.9.8e 23 Feb 2007
## : This product linked zlib v1.2.3
!! : failed to open 'dump-pub.cap'
ii : opened 'dump-frg.cap'
ii : opened 'dump-prv.cap'
ii : network send process thread begin ...
ii : network recv process thread begin ...
ii : opened vflt device
ii : opened vflt recv device
ii : pfkey process thread begin ...
K< : message REGISTER AH received
K< : message REGISTER ESP received
K< : message REGISTER IPCOMP received
K< : recv X_SPDDUMP UNSPEC message
ii : pfkey process thread begin ...
K< : recv DUMP UNSPEC message
K< : recv X_SPDDUMP UNSPEC message
ii : pfkey process thread exit ...
ii : pfkey process thread begin ...
K< : message REGISTER AH received
K< : message REGISTER ESP received
K< : message REGISTER IPCOMP received
K< : recv X_SPDDUMP UNSPEC message
ii : pfkey process thread exit ...
ii : pfkey process thread begin ...
K< : message REGISTER AH received
K< : message REGISTER ESP received
K< : message REGISTER IPCOMP received
K< : recv X_SPDDUMP UNSPEC message
ii : pfkey process thread exit ...
ii : inspecting ARP request ...
DB : policy not found
ii : inspecting ARP request ...
DB : policy not found
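The iked.log above shows the gateway's aggressive-mode reply arriving as four IKE fragments (three of 548 bytes, one of 439) that the client reassembles before it starts parsing the certificate subject and dies. The following is an added example, not Shrew Soft or ipsec-tools code, of a defensive reassembler for that fragment payload (type 0x84, Microsoft/Cisco IKE fragmentation) over a constructed sample that copies the SPIs, packet sizes and inner message length (0x793) from the log but uses zero filler instead of the real certificate bytes; it refuses truncated, mismatched, conflicting or oversized fragment sets instead of handing them to the parser.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # RFC 2408 fixed header: SPIs, next, ver, xchg, flags, msgid, len
FRAG_HDR = struct.Struct("!BBHHBB")         # generic payload hdr + fragment id, fragment number, flags
PAYLOAD_FRAGMENT, FLAG_LAST, XCHG_AGGRESSIVE = 0x84, 0x01, 0x04
MAX_REASSEMBLED = 64 * 1024                 # refuse to buffer more than this per message

def parse_fragment(pkt):
    """Validate one fragment carrier packet; return (i_spi, r_spi, frag_id, frag_num, last, data)."""
    if len(pkt) < ISAKMP_HDR.size + FRAG_HDR.size:
        raise ValueError("truncated packet")
    i_spi, r_spi, nxt, _ver, _xchg, _flags, _msgid, length = ISAKMP_HDR.unpack_from(pkt)
    if length != len(pkt) or nxt != PAYLOAD_FRAGMENT:
        raise ValueError("bad ISAKMP header or not a fragment payload")
    _nxt, _rsv, p_len, frag_id, frag_num, frag_flags = FRAG_HDR.unpack_from(pkt, ISAKMP_HDR.size)
    if p_len != length - ISAKMP_HDR.size or frag_num == 0:
        raise ValueError("bad fragment payload length or number")
    data = pkt[ISAKMP_HDR.size + FRAG_HDR.size:]
    return i_spi, r_spi, frag_id, frag_num, bool(frag_flags & FLAG_LAST), data

def reassemble(pkts):
    """Reassemble a fragmented ISAKMP message; None while fragments are still missing."""
    key, parts, last_num = None, {}, None
    for pkt in pkts:
        i_spi, r_spi, fid, num, last, data = parse_fragment(pkt)
        if key not in (None, (i_spi, r_spi, fid)):
            raise ValueError("fragment belongs to a different message")
        key = (i_spi, r_spi, fid)
        if num in parts and parts[num] != data:
            raise ValueError("conflicting duplicate fragment %d" % num)
        parts[num] = data
        if last:
            last_num = num
        if sum(len(d) for d in parts.values()) > MAX_REASSEMBLED:
            raise ValueError("reassembly buffer limit exceeded")
    if last_num is None or any(n not in parts for n in range(1, last_num + 1)):
        return None
    msg = b"".join(parts[n] for n in range(1, last_num + 1))
    # the reassembled data starts with the real ISAKMP header; its length must match
    if len(msg) < ISAKMP_HDR.size or ISAKMP_HDR.unpack_from(msg)[7] != len(msg):
        raise ValueError("reassembled length does not match inner ISAKMP header")
    return msg

# Constructed sample modelled on the four replies in the log: same SPIs, sizes
# (548, 548, 548, 439) and inner length 0x793; fragment bodies are zero filler.
I_SPI, R_SPI = bytes.fromhex("71d8c4a44aa5df7f"), bytes.fromhex("b3f97fd306f04a1f")

def build_fragment(frag_num, data, last):
    total = ISAKMP_HDR.size + FRAG_HDR.size + len(data)
    return (ISAKMP_HDR.pack(I_SPI, R_SPI, PAYLOAD_FRAGMENT, 0x10, XCHG_AGGRESSIVE, 0, 0, total)
            + FRAG_HDR.pack(0, 0, FRAG_HDR.size + len(data), 1, frag_num, FLAG_LAST if last else 0) + data)

INNER = ISAKMP_HDR.pack(I_SPI, R_SPI, 0x01, 0x10, XCHG_AGGRESSIVE, 0, 0, 0x793) + b"\0" * (0x793 - 28)
SAMPLE = [build_fragment(n, INNER[(n - 1) * 512:n * 512], n == 4) for n in range(1, 5)]
```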
